Broken Authentication

WHAT IS BROKEN AUTHENTICATION?

Broken authentication is #2 on the latest (2017) OWASP Top 10 list. Broken authentication is typically caused by poorly implemented authentication and session management functions. Broken authentication attacks aim to take over one or more accounts giving the attacker the same privileges as the attacked user. Authentication is “broken” when attackers are able to compromise passwords, keys or session tokens, user account information, and other details to assume user identities.

Due to poor design and implementation of identity and access controls, the prevalence of broken authentication is widespread. Common risk factors include:

Predictable login credentials
User authentication credentials that are not protected when stored
Session IDs exposed in the URL (e.g., URL rewriting)
Session IDs vulnerable to session fixation attacks
Session value that does not time out or get invalidated after logout
Session IDs that are not rotated after successful login
Passwords, session IDs, and other credentials sent over unencrypted connections

Back to Listing

BY USE CASE

BY DEPARTMENT

BY INDUSTRY

GITHUB ACTIONS BLOG SERIES, PART 1: PIPELINE NATIVE CODE ANALYSIS

"Contrast speeds up the delivery pipeline – we fix issues earlier in the development lifecycle. Great for any company trying to achieve a DevSecOps approach to application security.”

Contrast Incident Response Hub

Broken Authentication

WHAT IS BROKEN AUTHENTICATION?